Risk Scoring

Melvin PETIT edited this page Jun 22, 2026 · 1 revision

DataShield computes two independent risk scores, both in src/lib/risk.ts and covered by src/lib/risk.test.ts:

  • a company-wide posture score, and
  • a per-employee score used to triage who is most at risk.

Both return an integer from 0 to 100, and every component caps the points it can contribute so no single signal alone pins the score at 100.

Company score

calculateRiskScore(...) blends three capped components:

| Component | Inputs | Max points |
| --- | --- | --- |
| Exposure | compromisedEmployees / totalEmployees | 40 |
| Alerts | criticalAlerts*12 + highAlerts*6 + mediumAlerts*2 | 40 |
| Recency | recentBreaches*4 | 20 |

With no employees the score is 0.
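The three capped components, worked as an added example in TypeScript. This is not DataShield's own src/lib/risk.ts: the component table above is followed as written, but the exposure formula (share of compromised employees scaled to the 40-point cap), the rounding to an integer and the `riskComponents` breakdown helper are assumptions about how the real function combines its inputs.

```typescript
// Added example, not the project's src/lib/risk.ts. Caps and inputs follow the
// wiki's component table; the exposure scaling and rounding are assumptions.

interface CompanyRiskInput {
  totalEmployees: number;
  compromisedEmployees: number;
  criticalAlerts: number;
  highAlerts: number;
  mediumAlerts: number;
  recentBreaches: number; // breaches inside the recency window
}

interface CompanyRiskComponents {
  exposure: number; // 0..40
  alerts: number;   // 0..40
  recency: number;  // 0..20
}

const clamp = (value: number, min: number, max: number): number =>
  Math.min(max, Math.max(min, value));

// Break the score into its capped parts so a triage view can show which
// signal is driving a company's posture, not just the final number.
function riskComponents(input: CompanyRiskInput): CompanyRiskComponents {
  // With no employees there is nothing to expose, so every part is 0.
  if (input.totalEmployees <= 0) return { exposure: 0, alerts: 0, recency: 0 };

  // Exposure: share of compromised employees, worth up to 40 points (assumed scaling).
  const share = clamp(input.compromisedEmployees / input.totalEmployees, 0, 1);
  const exposure = share * 40;

  // Alerts: severity-weighted, capped at 40 so an alert flood cannot saturate the score alone.
  const alerts = clamp(
    input.criticalAlerts * 12 + input.highAlerts * 6 + input.mediumAlerts * 2,
    0,
    40,
  );

  // Recency: 4 points per recent breach, capped at 20.
  const recency = clamp(input.recentBreaches * 4, 0, 20);

  return { exposure, alerts, recency };
}

function calculateRiskScore(input: CompanyRiskInput): number {
  const { exposure, alerts, recency } = riskComponents(input);
  // Caps already bound the sum to 100; the final clamp only guards against bad input.
  return Math.round(clamp(exposure + alerts + recency, 0, 100));
}

// Constructed sample company: half the staff appears in breach data, one
// critical and one high alert are open, and one breach landed recently.
const sampleCompany: CompanyRiskInput = {
  totalEmployees: 10,
  compromisedEmployees: 5,
  criticalAlerts: 1,
  highAlerts: 1,
  mediumAlerts: 0,
  recentBreaches: 1,
};

console.log(riskComponents(sampleCompany)); // exposure 20, alerts 18, recency 4
console.log(calculateRiskScore(sampleCompany)); // 42
```

The breakdown is the part worth keeping in a dashboard: a score of 42 driven mostly by exposure means the remediation is credential resets, while the same 42 driven by the alert component means open alerts are going unworked.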

Per-employee score

employeeRiskScore(input, weights) scores one employee from their breach records and open alerts. Inputs are derived by buildEmployeeRiskInput:

| Signal | Meaning |
| --- | --- |
| recencyDays | Days since the most recent detection, decaying to 0 over a 180-day window |
| hasSessionArtifact | A stealer-log COOKIE or TOKEN was captured (replayable session, bypasses MFA) |
| hasCriticalData | Exposed data includes password, credit card, SSN, bank account, or financial |
| domainMatch | The address is on the company domain |
| openAlerts | Open alerts for the employee (capped at 3) |
| breachCount | Number of breach records (capped at 5) |

An employee with no breach records scores 0.

Configurable weights

Per-employee weights are tunable per company. The defaults (DEFAULT_RISK_WEIGHTS):

| Weight | Default |
| --- | --- |
| session | 30 |
| recency | 25 |
| criticalData | 20 |
| domainMatch | 15 |
| openAlerts | 10 |
| breaches | 10 |

Overrides are stored on Company.riskWeights (JSON) and merged onto the defaults by resolveRiskWeights, which keeps only finite, non-negative numbers for known keys, so a malformed override can never produce a broken score. Edit them via PATCH /api/company (riskWeights). Session artifacts carry the heaviest default weight because a captured session token hands an attacker a ready-to-replay login that MFA will not stop.

Risk levels

getRiskLevel(score) maps a score to a band for display:

| Score | Level |
| --- | --- |
| 76-100 | CRITICAL |
| 51-75 | HIGH |
| 26-50 | MEDIUM |
| 0-25 | LOW |
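The per-employee score, the weight resolution and the level bands from the three sections above, worked together as one added TypeScript example. It is not DataShield's src/lib/risk.ts: the signal names, default weights, caps and bands are the wiki's, while the linear recency decay across the 180-day window, the proportional scaling of the capped `openAlerts` and `breachCount` counters, the treatment of a missing detection date as fully decayed, and the final clamp to 100 (the defaults sum to 110) are assumptions.

```typescript
// Added example, not the project's src/lib/risk.ts. Weights, caps and bands
// follow the wiki tables; how the signals are scaled and combined is assumed.

interface RiskWeights {
  session: number;
  recency: number;
  criticalData: number;
  domainMatch: number;
  openAlerts: number;
  breaches: number;
}

const DEFAULT_RISK_WEIGHTS: RiskWeights = {
  session: 30,
  recency: 25,
  criticalData: 20,
  domainMatch: 15,
  openAlerts: 10,
  breaches: 10,
};

interface EmployeeRiskInput {
  recencyDays: number | null; // null when no detection date is known (assumed convention)
  hasSessionArtifact: boolean;
  hasCriticalData: boolean;
  domainMatch: boolean;
  openAlerts: number;
  breachCount: number;
}

type RiskLevel = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";

const RECENCY_WINDOW_DAYS = 180;
const OPEN_ALERTS_CAP = 3;
const BREACH_COUNT_CAP = 5;

const clamp = (value: number, min: number, max: number): number =>
  Math.min(max, Math.max(min, value));

// Merge a per-company override (the JSON stored on Company.riskWeights) onto
// the defaults. Unknown keys are ignored and a known key is taken only when
// its value is a finite, non-negative number, so a malformed override
// (strings, negatives, NaN, Infinity, wrong types) falls back to the default.
function resolveRiskWeights(override: unknown): RiskWeights {
  const resolved: RiskWeights = { ...DEFAULT_RISK_WEIGHTS };
  if (typeof override !== "object" || override === null) return resolved;
  const candidate = override as Record<string, unknown>;
  for (const key of Object.keys(DEFAULT_RISK_WEIGHTS) as (keyof RiskWeights)[]) {
    const value = candidate[key];
    if (typeof value === "number" && Number.isFinite(value) && value >= 0) {
      resolved[key] = value;
    }
  }
  return resolved;
}

function employeeRiskScore(
  input: EmployeeRiskInput,
  weights: RiskWeights = DEFAULT_RISK_WEIGHTS,
): number {
  // No breach records means no exposure to score.
  if (input.breachCount <= 0) return 0;

  // Recency: full weight on the day of detection, linear decay to 0 at 180 days.
  const daysAgo =
    input.recencyDays === null
      ? RECENCY_WINDOW_DAYS
      : clamp(input.recencyDays, 0, RECENCY_WINDOW_DAYS);
  const recency = (1 - daysAgo / RECENCY_WINDOW_DAYS) * weights.recency;

  // Boolean signals contribute their full weight or nothing.
  const session = input.hasSessionArtifact ? weights.session : 0;
  const criticalData = input.hasCriticalData ? weights.criticalData : 0;
  const domain = input.domainMatch ? weights.domainMatch : 0;

  // Capped counters are scaled proportionally to their cap (assumed).
  const openAlerts =
    (clamp(input.openAlerts, 0, OPEN_ALERTS_CAP) / OPEN_ALERTS_CAP) * weights.openAlerts;
  const breaches =
    (clamp(input.breachCount, 0, BREACH_COUNT_CAP) / BREACH_COUNT_CAP) * weights.breaches;

  const total = session + recency + criticalData + domain + openAlerts + breaches;
  return Math.round(clamp(total, 0, 100));
}

function getRiskLevel(score: number): RiskLevel {
  if (score >= 76) return "CRITICAL";
  if (score >= 51) return "HIGH";
  if (score >= 26) return "MEDIUM";
  return "LOW";
}

// Constructed sample: a stale detection (90 days), no session artifact, a
// password in the exposed data, a personal address, one open alert, two records.
const sampleEmployee: EmployeeRiskInput = {
  recencyDays: 90,
  hasSessionArtifact: false,
  hasCriticalData: true,
  domainMatch: false,
  openAlerts: 1,
  breachCount: 2,
};

console.log(employeeRiskScore(sampleEmployee)); // 40
console.log(getRiskLevel(employeeRiskScore(sampleEmployee))); // MEDIUM
```

Note how a single session artifact on an otherwise stale record (detection older than the window, one breach, nothing else) still lands in MEDIUM on its own: with the default weights, a replayable session outweighs every other signal at its decayed value, which is the tuning point the weights table is meant to expose.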

See Breach Scanning for where artifacts and exposed-data types come from, and MFA Coverage for the MFA signal.